Format of a numeric parameter is unknown


The format you have defined for a numeric parameter does not match formats defined in either the OpenAPI Specification (OAS) or JSON Schema Specification. Unknown formats cannot be enforced to protect your API, so it is like you had not defined a format at all.

For more details, see the OpenAPI Specification and JSON Schema Validation.


The following is an example of how this type of risk could look in your API definition. The parameter type is set to integer but there is a typo in the format, rendering it unknown:

2  type: integer
3  format: int3
4  name: total
5  in: query
6  description: Number of the objects in the array.

Possible exploit scenario

If you do not specify an enforceable format of numeric values, attackers can try to send unexpected input to your backend server. This may cause the backend server to fail in an unexpected way and open the door to further attacks.

For example, the backend server could throw an exception and return a stack trace on the error. The trace could contain information on the exact software stack used in the implementation. This enables the attacker to launch an attack on specific vulnerabilities known in that stack.

Using your internal, company-specific formats is not currently supported.


Define a known format for all numeric parameters. This ensures that only parameters of the expected format get passed to the backend.

Numeric parameters type integer can have the format int32 or int64. Numeric parameters type number can have the format float or double.

2  type: integer
3  name: total
4  in: query
5  format: int32
6  description: Number of the objects in the array.

If you want to use your internal, company-specific format, make sure to also use properties like maximum, minimum, pattern, and maxLenght to constrain the accepted values.

Copyright 42Crunch 2021